I am using the strpos function to validate a url that is submitted by a user and I want to make sure I'm not missing anything that would allow the user to bypass the validation and submit a url that is inappropriate.
Take the following as an example, if I only want a user to be able to input a url associated with the youtube domain, I don't want them to be able to put a wildcard (*) or something in that would "trick" the strpos function.
$url = $request->input('url');
// Check if Youtube url is found
if (strpos($url, 'http://youtube.com') > -1)
{
// some code
}
// some code
Thanks!
strpos returns false when in a not found condition and 0 if the string appears in the first column, which also looks like false to PHP, so it would be more accurate to use === or !==
$url = $request->input('url');
// Check if Youtube url is found
if (strpos($url, 'http://youtube.com') !== FALSE)
{
// some code when youtube is found in url
}
You would be better off using a Regular expression.
^(https?\:\/\/)?(www\.)?(youtube\.com|youtu\.?be)\/.+$
Try it out.
Remember to test with type safe equation.
strpos will find the position of the first occurrence in the string. So if there is a match at the beginning of the string (position 0)
if (strpos($url, 'http://youtube.com') > -1)
will return 0 which will be interpreted as false. You're in trouble here.
Instead, do it type safely:
if (strpos($url, 'http://youtube.com') !== false)
This means no matter where in the string your substring is found, it will be considered true and you know there is a match.
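The substring test discussed in this thread only asks whether the text appears somewhere in the URL, not whether it is the host. As an added example (not part of the original question or answers), the following compares it with a check that parses the URL first; the allowed-host list, the function names and the sample URLs are assumptions constructed for illustration.

```php
<?php
// Added example, not from the original thread.
// Assumption: these are the hosts you want to accept as "YouTube".
const ALLOWED_HOSTS = ['youtube.com', 'www.youtube.com', 'youtu.be'];

// The substring test from the thread, with the !== false fix applied.
function substring_check(string $url): bool
{
    return strpos($url, 'http://youtube.com') !== false;
}

// Hypothetical helper: parse the URL, then compare scheme and host exactly.
function is_allowed_youtube_url(string $url): bool
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }
    // Credentials in the authority part ("user@host") are never needed here.
    if (isset($parts['user']) || isset($parts['pass'])) {
        return false;
    }
    // Exact match on the host: case folded, trailing dot removed.
    $host = rtrim(strtolower($parts['host']), '.');
    return in_array($host, ALLOWED_HOSTS, true);
}

// Constructed sample inputs (example.net stands in for any other site).
$samples = [
    'http://youtube.com/watch?v=abc',              // substring: true,  parsed: true
    'https://www.youtube.com/watch?v=abc',         // substring: false, parsed: true
    'http://youtube.com.example.net/',             // substring: true,  parsed: false
    'http://example.net/?next=http://youtube.com', // substring: true,  parsed: false
    'http://youtube.com@example.net/',             // substring: true,  parsed: false
];

foreach ($samples as $url) {
    printf("%-45s substring=%-5s parsed=%s\n",
        $url,
        var_export(substring_check($url), true),
        var_export(is_allowed_youtube_url($url), true));
}
```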
Related
I was looking into trying to revise some old code in an application that I work on. Currently the app parses out portions of a response string received from an API to determine if a request is good or if it failed. The response from the API sends back a string that contains the characters "DP" if the request was processed successfully. Right now there's a line of code in the app that is as follows:
if(stripos($result, "DP") !== false)
This is working fine now, but I can foresee an issue coming from this. stripos can return a "falsey" value even when the needle is in fact found within the haystack. Since the haystack string is zero-indexed with stripos the function will return 0 if the characters "DP" are found at the very beginning of the haystack string, which will incorrectly be read as false. This code is working now, but if for any reason the developers who maintain the API we work with decide to reformat their response, we will have problems. I was thinking of changing this to the following:
if(stristr($result, "DP") !== false)
From what I can tell this should be OK because according to php.net stristr only returns false if the needle is not found in haystack. I'm curious though if anybody has seen any problems similar to the one described above occurring with the stristr function.
0 doesn't equal false if you use === (or !==).
See this fiddle for proof: http://phpfiddle.org/main/code/nih-esg
More info on the PHP site here: http://www.php.net/manual/en/language.operators.comparison.php
Since you're using !== it is a non-issue, since the triple operators check both value and type
false != 0 : false
false !== 0 : true
<?php
$result="DP";
if (stripos($result, "DP") !== false)
{
echo stripos($result, "DP");
}
?>
Returns 0 from within brackets.
I am wondering if this is a proper way to check, if a string contains nothing but an URL:
if (stripos($string, 'http') == 0 && !preg_match('/\s/',$string)) {
do_something();
}
stripos() checks if the string starts with "http"
preg_match() checks if the string contains spaces
If not so, I assume that the string is nothing but an URL - but is that assumption valid? Are there better ways to achieve this?
Use filter_var()
if (filter_var($string, FILTER_VALIDATE_URL)) {
// you're good
}
The filters can be even more refined. See the manual for more on this.
In PHP there is a better way to validate the URL:
http://www.php.net/manual/en/function.filter-var.php
if(filter_var('http://example.com', FILTER_VALIDATE_URL)) {
echo 'this is URL';
}
To more securely validate URLs (and those 'non-ascii' ones), you can
Check with the filter (be sure to check the manual on which filter suits your situation)
Check to see if there are DNS records
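// checkdnsrr() expects a hostname, not a full URL, so extract the host first
$host = parse_url($URL, PHP_URL_HOST);
// Convert an internationalized host name to its ASCII (punycode) form
$asciiHost = (is_string($host) && $host !== '') ? idn_to_ascii($host) : false;
$string = ($asciiHost !== false) ? str_replace($host, $asciiHost, $URL) : '';
if(filter_var($string, FILTER_VALIDATE_URL) && checkdnsrr($asciiHost, "A")){
// you have a valid URL
}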
I am using stripos to modify an active navigation class,
<?php if (stripos($_SERVER['REQUEST_URI'],'/members/login') !== false) {echo 'class="active"';} ?>
It works like a charm. However I need to add another REQUEST_URI to check in the string and cannot figure out how to properly format the code.
I have tried:
, '/members/login | /members/members'
and others without success.
You'll just have to do it twice:
if(
stripos($_SERVER['REQUEST_URI'],'/members/login') === 0
||
stripos($_SERVER['REQUEST_URI'],'/members/members') === 0){ ...
Note that I switched to ===0 as I presume you wouldn't want '/someotherpartofyoursite/members/members' to match presumably. If you want it in 1 call, you can use regular expressions (see preg_match()), but this is fast & clear enough in my opinion.
If the list becomes longer, it depends on whether these are the whole paths, and if they are, something like this could be more suitable:
$urls = array('/members/login','/members/members');
if(in_array(parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH),$urls)){....
... but not knowing your url scheme that's a guess.
You can do that in single call to preg_match as well like this:
if (preg_match('#/members/(?:login|members)#i', $_SERVER['REQUEST_URI'])) {
// matched
}
My latest issue involves trying to find "http://" in a variable. This variable contains the contents of a comments section on a clients website. I have seen all kinds of answers but none of them seem to work. I looked at a few other posts on here and I have yet to get the best answer. Here is what I have so far:
if(strpos($comments, 'http://') == true) {
// Does stuff here
}
I noticed other people use preg_match and some said to do it in an array. I am getting confused, too many options. Just kidding. I would like some clarification though and any advice would be greatly appreciated.
You'll need to say:
if(strpos($comments, 'http://') !== false) {
...since it can return 0 (which is falsey) if http:// is at the beginning of the string.
NOTE: This will only find the first occurrence of http:// in the string.
Take a close look at the reference: http://php.net/manual/en/function.strpos.php
You need to change code like that:
if(strpos($comments, 'http://') === false) {
//no link
}
because strpos returns an integer, which is the position of your string.
Example:
full string: "http://stackoverflow.com hello"
you are finding: "http"
Naturally it returns 0.
But
full string: "ahttp://stackoverflow.com"
you are finding: "http"
it returns 1.
So you must use the === operator to check whether it is really a boolean false.
If you try to check with the == operator, it may fail because it treats 0 as false.
more detail: http://php.net/strpos
I found this was a better match: (recommended by phpstorm ide)
if(str_contains($e, '1062 Duplicate entry')) {
}
I want to find a string like 'Jobs' in a title. Suppose I have 10 rows in a file.
i.e.
Jobs for Accountant.
Featured Jobs for public Services.
Website Development Jobs in Delhi.
.
.
.
.
How to find jobs keyword in these type of titles?
You can use strpos
Just check if (strpos($string,$search)===0) and you are good
You can use strpos.
if(strpos($string, 'Jobs') !== false)
Make sure you do it exactly like that, since if(strpos($string, 'Jobs')) would return 0 if the string started with 'Jobs', which would be cast to the boolean value of 0: false.
Use substr() to achieve this. Here is the manual php.net/manual/en/function.substr.php
You can use strpos. Look here for documentation.
It returns the first occurrence of what you are searching for in a string.
You can do:
$pos = strpos($string, "jobs");
and it returns the offset where it found "jobs".
Then you can use $pos to look for further occurrences by passing it to the function:
$pos2 = strpos($string, "jobs", $pos+1);
If you want to check if it doesn't find a string you must use ===, because if it finds the string in the first position it returns 0 (which, if you just check with ==, resolves to false).
Use regular expressions.
Here is a tutorial: http://www.phpf1.com/tutorial/php-regular-expression.html
Or, just google php regular expressions for all the info you need.